Violation of GDPR "Data minimisation"
complete
Dominik 25kt
From the FAQ:
Do you have to submit an un-edited ID to Persona?
Yes, you must send your unedited, full ID to Persona. Obfuscating, blocking, blurring, or otherwise removing information from your ID will cause a failure to verify.
Is Persona subject to the GDPR?
Yes, it is. Any company or organization that processes data of users within the EU must comply with the GDPR, even if they aren’t based in the EU (GDPR Article 3).
Those 2 don't go together,
Art. 5 (1) (b) of the GDPR
> collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Art. 5 (1) (c) of the GDPR
> adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
Art. 25 (2) of the GDPR
> The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed
meaning we are allowed to block out all information that is not needed (meaning pretty much everything except birth year (if the year alone makes it clear that we are 18+) and maybe the picture to verify that we are actually the owner of the ID)
Log In
Tupper - VRChat Head of Community
complete
Thanks for raising these concerns.
We understand your desire to minimize what data you share. However, it is important to remember that our verification process must ensure IDs are both valid and legitimate. As required under GDPR Article 5, we collect and process ID data solely for the legitimate purpose of verification, and our practices are designed to meet the principles of adequacy, relevance, and limitation. Once the data is processed, we retain the bare minimum (e.g. a hash and birth date) to maintain security and regulatory compliance. All other ID data is deleted.
A blurred ID with a birthday is not sufficient to confirm an ID’s legitimacy. We don’t disclose the exact methods and data we use for verification as doing so could make the process easier to circumvent. Rest assured that we continually review our policies and practices to keep data use as minimal and transparent as possible.
Geckσ
Tupper - VRChat Head of Community Sure, you cann assure something in your philosophy and company's policy, but the fact that Persona is currently in 2 class action lawsuits does not help with privacy + trust related issues in a positive way. I will refrain from using that system, entirely, and many others will too.
SaphiGoat
Tupper - VRChat Head of Community A unblurred ID activly put people at danger.
There is no way to be sure, that persona will handle it correctly.
There should be other ways to confirm that I'm an adult. Like a code inside a transaction (bank account, creditcard, paypal). Age of linked steam account.
MyFedora
Tupper - VRChat Head of Community Oh, great, security through obscurity. Exactly what I want to hear when handing over my unredacted ID and selfie to Persona.
Look, be glad that most people online misinterpreted the privacy update video as a good thing. The video comes across more like, "Hey, we hear your concerns, we'll make a few changes to protect your privacy. We really do care, trust us." instead of "We've been prioritizing privacy from the start. As for age verification, we already do X, Y and Z, and are planning to do A, B and C to protect your privacy. Here's how we've proactively restructured our development processes and trained our engineers to bake privacy into everything we do."
The fact that hashing data only came up now is concerning. As a developer who values privacy, this should've been a given from the start. Hashing sensitive data is basic practice, not some advanced concept. It being introduced at this stage feels more like a reaction to public pressure than a genuinely thought-out design decision, which is extremely unsettling.
I've worked at startups where privacy wasn't even on the radar, where collecting unnecessary data was the norm and pushing back against violations was met with hostility. But out in public? They'd preach about privacy like saints. I'm getting that vibe here with VRChat, especially after the public announcement.
Also, let's be clear: Providing an unredacted ID and a selfie is textbook definition identity verification, not age verification. It's enough personal data to pass a bank's identity check in my country.
Utami Hasegawa
Tupper - VRChat Head of Community To be fair, I don't think the issue here is "desire to minimize what data you share."
I think the issue is whether or not Persona (and presumably VRChat as well in their role as data controller) is following the law with regard to only collecting information that's specifically necessary for verifying a user's age.
If VRChat doesn't disclose the methods it uses for age verification and why it necessitates an unredacted ID, how does that comply with the GDPR requirement that the purpose for collecting the data be specified?
Dominik 25kt
MyFedora
> Also, let's be clear: Providing an unredacted ID and a selfie is textbook definition identity verification, not age verification.
Pretty much yea, I don't wanna accuse the VRC team as being malicious but it feels a bit like the name "Age Verification" was chosen because "Identify Verification" would have made too many people angry.
Dominik 25kt
Tupper - VRChat Head of Community
> A blurred ID with a birthday is not sufficient to confirm an ID’s legitimacy. We don’t disclose the exact methods and data we use for verification as doing so could make the process easier to circumvent. Rest assured that we continually review our policies and practices to keep data use as minimal and transparent as possible.
Keeping as little data as possible is great and a step forward compared to the original system but GDPR Article 5 also says processing the minimum amount of data and since you practice "security through obscurity" and are not telling us what kind of data you're processing I assume you process everything which is quite excessive for a simple Age Verification especially considering that digital IDs with age verification function are a thing which depending on the implementation of the country provides you as little data at "yes the person is 18+" and a picture so you can verify that the digital ID actually belongs the person verifying (and you can just hash the picture provided by the digital ID to make sure only 1 person is using it).
The best way to care about privacy as a company is collecting as little data as possible.
Chirping_Cat
MyFedora A lot of countries require 100 points of ID and specifically an address so.... use a form of ID that hasn't got the address on it.
Further, to reliably perform age verification you have to confirm the veracity of the ID document used.
SaphiGoat
Chirping_Cat identity theft is far more worse then just a leaked Address or payment info.
Someone can create Bank Accounts in your name for example, or use it for all other sorts of crimes.
MyFedora
Chirping_Cat Or, hear me out, use an age verification method that respects my privacy instead.
We have a government app for digital age verification. We have e-banking apps with digital age verification. We have post offices with in-person age verification.
There's no excuse for sticking with outdated, easily bypassed systems when we've got infrastructure in place to verify age reliably and securely.
Instead, they're opting for these expensive, unreliable and privacy-invasive solutions. They're begging for criticism.
Geckσ
As NiniNia said, blurring everything which is NOT a necessity for the process itself (verifying the age via birthdate (even the year itself should be enough), and the face for the actual visual validation) should be mandatory, and that shouldn't be exclusive to the EU.
I am an EU citizen, and I will not use this service, especially with the class action lawsuits (data abuse) currently running against Persona.
If the majority of the worlds switching over to +18 (group settings), resulting into blocking any regular unverified +18 user from accessing the social aspect of this whole purpose, I will leave VRC for good. I am not here to hang around with minors.
Tupper - VRChat Head of Community
Merged in a post:
Age verify changes from 11.12.24
Scribble Clash
First, thank you for trying to adress the issues. But the changes do little to alleviate the main issue - that being you asking for a full, unobfuscated ID. This stays a high security risk and is completly unnecessary for age verification.
The only reason to keep this is identity verification (what the hash is necessary for). Everyones guess is as good as mine as to why this is so important to VRC.
If Persona can't, or VRC wont, allow obfuscation, then this is remains unusable to me.
Tupper - VRChat Head of Community
Merged in a post:
Laws might be more complicated than you think
EinDev
As per Art. 5 GDPR you are required to store as minimal data as needed.
In your FAQ you mention that only requesting to delete _all_ data will affect the verification status. This does not comply with the data minimization section.
Besides that - storing a photocopy of an ID is illegal in Germany for non-financial reasons. Wether or not you need to comply with those laws depends on wether or not you target german customers. As you implemented a german translation for your software, offer most payment methods used in germany and even explicitly invite EU-based customers by having seperate servers, i think it is clear that this means you are targeting german customers.
I am not a lawyer, but i hope you have got it checked by a lawyer with a decent knowledge about international rights. Cause i will.
And just to clarify: This is nothing personal, I was really looking forward towards age verification. We have all this technology, with IDs with a digital chip in them. I honestly do not understand why international companies still prefer visual verification of IDs. It is so much easier to use the features german IDs provide.... This way you don't even have to involve a human, you can fully automate this. Just like the government does.
Tupper - VRChat Head of Community
Merged in a post:
Blur unnecessary information
NiniNia
As a German citizen it's my right to only show the needed relevant information, in this case that's my face, ID photo and my birthdate on the ID, since the whole purpose is to 1. confirm my age and for this matter 2. confirm I am the ID holder
It's not in compliance with GDPR to request the whole ID data
ByteByte-Baxi
They sadly don't care about your rights. Time to move to other platforms. Everyone to resonate
Chirping_Cat
ByteByte-Baxi When Easy Anti-Cheat (EAC) rolled out, there were skeptics who swore it would ruin everything and threatened boycotts. But guess what? The vast majority of players adapted, those who threatened boycotts got over it, and many came to like the change because it meant fewer clients and a better experience overall.
The same logic applies here despite the fire and brimstone you're painting out: Adults want spaces free of minors, and robust age verification is the way to get there... I wouldn't be investing money in Resonite or CVR on the assumption they're going to suddenly take off anytime soon.
ByteByte-Baxi
Chirping_Cat EAC was not asking for your full un modified government documents get out of my face with this bullshit comparison
Chirping_Cat
ByteByte-Baxi I don't think you understood my point. What you're saying is I reckon you're overestimating how many people are against this. If VRChat survived the EAC drama, it'll breeze through this without losing any real value.
I mean, only 52 people bothered upvoting this Canny in 15 days—that’s practically nothing. Compare that to over 20,000 responses on day one of the EAC rollout. Meanwhile, Resonite is still a ghost town, and VRChat’s going strong.
But hey, no need to worry about age verification when you’re playing solo on Resonite, right?
ByteByte-Baxi
The devs will just keep lieing and hideing this until nobody sees it. So im going to try and upvote you. You get ban from the discord and reddit for this now though. So bringing it up there is likely not a good idea.
ღ KΛΣƬΉΣ ღ
As a duchy we are by law prohibited to send full copies of or id to any company that is not permitted by the Dutch government.
Besides that persona is already in multiple lawsuits for distributing the id information to there partners who train ai.
Dominik 25kt
It's not just german citizens, its all EU citizens, GDPR Art. 5 requires companies to allow that
netforce10
Same thing applies in the Netherlands, and I suspect many more countries in the european union.
A third party is not inherently more trusted, not even if they also work with other big companies, it just means there's more and more incentive to skirt the line or ignore laws. The more data you have the more interesting it becomes to actually use it to train an AI for example. That might also be one of the reasons for disallowing any modification, to get the most uniform data set possible, but that would be pure speculation on my part.
Load More
→